
Most Small Firms Underestimate Cyber Attack Costs, Recovery Time

A new survey has found that most small businesses vastly underestimate both the cost of recovering from a cyber attack and the time it takes to recover.

Nationwide Insurance’s “Agency Forward” survey found that 40% of small business owners estimate that a cyber attack would cost their organization less than $1,000, and 60% said it would take less than three months to recover fully. Those are significant underestimates, reflecting how little most owners know about the actual effects of these increasingly sophisticated attacks.

This rose-colored view is a problem because small businesses are now the main target of cyber attacks, particularly ransomware. As a result, many companies are not taking the appropriate steps to guard against attacks and may also forgo securing cyber insurance.

That can be a mistake, as the average cost of a cyber-attack claim is between $15,000 and $25,000, according to Nationwide. Additionally, the insurer states that the average recovery time for a business after an event is 279 days. Most small businesses fail within six months of an attack, and many never recover.

Nationwide found that about 28% of small business owners said they have cyber coverage, compared to 71% of middle-market businesses.

Cyber-attack costs can mount quickly. After an attack, once the damage has been assessed, a business may face a number of expenses for:

• Systems and operational recovery,
• Data restoration,
• Addressing reputational damage, and
• Legal costs.
Worse yet, most small companies have not installed safeguards to protect against attacks. The survey found that:

• Only 48% of small business owners said they felt prepared to prevent a cyber attack (compared to 83% of mid-sized firms).
• Only 56% said they conducted cyber-security training at least once a year (compared to 94% of mid-sized firms).

Protection against attacks

Malware is the most significant threat, accounting for 50 to 70% of attacks in the small business sector. Malware is software — such as viruses and ransomware — intentionally designed to cause disruption and damage to a computer or network, or to gain unauthorized access to private information.

You can thwart the criminals by:

Educating your employees — Regularly update your staff on new security protocols. Send out regular reminders not to open attachments or click on links in e-mails from people they don’t know or expect. The more your employees know about cyber attacks and how to protect your data, the safer your business will be.

Implementing safe-password practices — Have employees use complicated passwords and change them every 60 to 90 days.

Using robust security platforms and protocols — That includes installing web application firewalls and using secure payment gateways if you accept credit cards online. Your website hosting company should regularly patch security vulnerabilities, and you should ensure that all computers have antivirus software installed.

Regularly backing up all data — That includes databases, financial files, human resources files, and accounts receivable and payable files.

Cyber insurance

Even with the protections in place, companies still can suffer an attack. If it’s a ransomware attack, your systems may be unusable until the ransom is paid.

Fortunately, cyber insurance can help pay for the costs associated with an attack, including expenses related to recovery, lawsuits, and ransoms. Coverage will differ from carrier to carrier, so it pays to call us to discuss your options.